
WINS/DHCP lease time

Hi!

Are there any security issues with having short lease times on a WINS/DHCP server, i.e. 1 day or even shorter? The default is 3 days (I think), but this value causes some issues for us and we are planning to lower it to 1 day. This will cause more network traffic and DHCP communication, but are there other issues this change can cause?

No, but when a user moves from an "office connection" to a VPN connection, their computer name is still pointing to the previous IP, which is renewed/released 50% of the lease time. This causes issues with some applications, since the data is sent to the "old" address registered in WINS and not their newly given VPN address. We suspect that the issue is the lease time and will change it, but need to investigate whether a shorter lease time can cause any problems.

Windows hosts will use the last DHCP address pulled as long as it's available. It's odd to me that you're seeing a 50% turnover unless I'm totally missing the story here. When you see Windows hosts turning over DHCP addresses frequently, it's a sign that the scope is limited and a bunch of hosts are using it.

Anyway, what VPN solution are you using?

Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

The issue is when a user leaves the office and connects a couple of hours later to the network via VPN and receives a new IP address: WINS still thinks that the user's host name has the IP that was given earlier and not the newly given one. This causes issues with some applications and can be solved by forcing a release of the registered address in WINS/DHCP.

With "50%" I meant that a "client renew address request" is sent after 50% of the lease time, i.e. if the lease time is set to 72 hours, a new request will usually be sent after 36 hours. We are using Check Point VPN.

Basically, I'm wondering if a shorter lease time can cause issues from a security point of view or from other perspectives, which seems not to be the case. So, thanks for your answer, and if an increase in network traffic is the only result, then a try shouldn't cause any harm.

This behavior is quite normal, but it's not DHCP causing your problem, it's WINS. Windows clients that receive an IP address from a DHCP offer can also receive a WINS server address from the DHCP server. WINS works much like DDNS, in that once the client gets its IP it will then attempt to register its (NetBIOS) name with its WINS server. The WINS server maintains a database like DNS and then resolves names to IPs. Machines shut down cleanly will actually 'release' their names, but if it's a laptop, the user often just suspends and disconnects from the network. This will leave the name registered. The default period for it to hold the name (the 'release interval') is 6 days. So once the host appears elsewhere on the network, WINS will still resolve to the old location. The new name may be refused by the WINS server (the host will retry every 10 minutes); of course, the name may also be accepted by another WINS server on the network, but then you get WINS replication playing havoc (some have the new address, some don't) and all sorts of silliness. Basically, you need to reconfigure the 'release interval' for WINS on the WINS server(s), under intervals in the WINS admin snap.

-Maestr0

"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
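An added example, not part of any post in this thread: a small check for the condition described above, where WINS still resolves a name to an address the host has since left. The host names, addresses, record layout and function names are constructed for illustration; the 6-day hold is the figure given in the post.

```python
from datetime import datetime, timedelta

# Constructed sample data (not taken from the thread).
# (name, registered_ip, registered_at) as held by the WINS server
WINS_RECORDS = [
    ("LAPTOP-01", "10.1.20.57", datetime(2024, 3, 4, 9, 0)),
    ("LAPTOP-02", "10.1.20.80", datetime(2024, 3, 4, 8, 30)),
    ("DESKTOP-07", "10.1.20.12", datetime(2024, 3, 1, 7, 45)),
]
# (name, leased_ip, lease_start, source) from the office DHCP scope and VPN pool
LEASES = [
    ("LAPTOP-01", "10.1.20.57", datetime(2024, 3, 4, 9, 0), "office-dhcp"),
    ("LAPTOP-01", "172.16.5.23", datetime(2024, 3, 4, 19, 15), "vpn-pool"),
    ("LAPTOP-02", "10.1.20.80", datetime(2024, 3, 4, 8, 30), "office-dhcp"),
    ("DESKTOP-07", "10.1.20.12", datetime(2024, 3, 1, 7, 45), "office-dhcp"),
]

HOLD = timedelta(days=6)  # period WINS keeps an unreleased name, per the post

def latest_lease(leases):
    """Map each host name to its most recently started lease."""
    latest = {}
    for name, ip, start, source in leases:
        if name not in latest or start > latest[name][1]:
            latest[name] = (ip, start, source)
    return latest

def find_stale_wins_names(wins_records, leases, now, hold=HOLD):
    """Return names WINS still resolves to an address the host has left."""
    latest = latest_lease(leases)
    stale = []
    for name, reg_ip, registered_at in wins_records:
        if name not in latest:
            continue  # nothing to compare against
        cur_ip, cur_start, source = latest[name]
        moved = cur_ip != reg_ip and cur_start > registered_at
        still_held = now < registered_at + hold
        if moved and still_held:
            stale.append({"name": name, "wins_ip": reg_ip,
                          "current_ip": cur_ip, "source": source,
                          "held_until": registered_at + hold})
    return stale

if __name__ == "__main__":
    for hit in find_stale_wins_names(WINS_RECORDS, LEASES, datetime(2024, 3, 5, 8, 0)):
        print(hit)
```
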

I'm with Maestr0 on this one ... Seems to me to be more a WINS/DNS related problem.

How is your VPN configured? Does your VPN server/box have a DHCP relay? Does it have the same settings as the inside DHCP (except for the gateway) ... or are you using other settings on the VPN server/box itself?

Like TH13 said ... even if you reboot your computer and it "asks" for an IP address, it will normally get the same as before the reboot (as long as it's available). So shortening the lease will not fix that problem.

Automatic scavenging of the WINS database takes place at defined intervals, this between the Renewal and the Extinct intervals you defined ... So maybe you need to check those intervals?

Basically again ... I'm with Maestr0 on this one, and I'm not telling anything new or anything my fellow AO'ers mentioned.